Announcement

Epic for Android is live. Get it in the Play Store. We're EpicBrowser on Twitter and on Facebook. Please feel free to also email our Founder directly with issues or questions: alok at hiddenreflex dot com

VPN users are facing a massive security flaw as websites can easily see their home IP-addresses through WebRTC. The vulnerability is limited to supporting browsers such as Firefox and Chrome, and appears to affect Windows users only. Luckily the security hole is relatively easy to fix.

The Snowden revelations have made it clear that online privacy is certainly not a given.

Just a few days ago we learned that the Canadian Government tracked visitors of dozens of popular file-sharing sites.

As these stories make headlines around the world interest in anonymity services such as VPNs has increased, as even regular Internet users don’t like the idea of being spied on.

Unfortunately, even the best VPN services can’t guarantee to be 100% secure. This week a very concerning security flaw revealed that it’s easy to see the real IP-addresses of many VPN users through a WebRTC feature.

With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.

The vulnerability affects WebRTC-supporting browsers including Firefox and Chrome and appears to be limited to Windows machines.

A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

First of all, media device enumeration works only in Chromium-based web browsers since Chrome 30 or later.

Device ID's — it's a unique identifiers of an audio/video devices installed in your system. Even if you have no microphone/webcam, Chrome may detect more than one device, such as «Line In», «Aux», «CD Player», etc, depending on the system drivers.

Full list of available media devices you can check in «chrome://settings/content ⇒ Media»

Of course, Google Chrome does not allow foreign websites to see the actual Model ID of your hardware devices, instead it provides self-generated hashes. But at the same time, any website is allowed to take this fingerprints without user confirmation.

How persistent and trackable these Device ID's?

Well, for most users this ID's may remain unchanged for months.

WebRTC Device ID is a HMAC of:

Value of the "media":{"device_id_salt"} located in «Chrome\Data\profile\Preferences». Salt generates randomly at the Chrome's first launch. It's renew every time user doing «Clear browsing data ⇒ Cookies and other site and plug-in data». Also, Incognito Mode does not touch «device_id_salt», but generates its own salt for every session.

Origin, aka «protocol://hostname:port». This dependence is not a problem for user tracking, script can be requested from constant host through iframe, and it will be same origin and same Device ID's on any domains.